According to a report published by The Register, OpenAI’s ChatGPT crawler is vulnerable to manipulation that could make it initiate distributed denial of service (DDoS) attacks on arbitrary websites. The company has not acknowledged the issue.
OpenAI’s ChatGPT API shows vulnerability to DDoS attacks
A write-up from security researcher Benjamin Flesch, shared this month via Microsoft’s GitHub, details how a single HTTP request to the ChatGPT API can instigate a flood of network requests from the ChatGPT crawler, specifically the ChatGPT-User agent. This vulnerability could amplify one API request into as many as 5,000 requests directed at a targeted website every second.
Flesch describes the flaw as a “severe quality defect” in the handling of HTTP POST requests to a specific API endpoint called by OpenAI’s ChatGPT. This endpoint is used to return information on web sources cited in the chatbot’s output. When the chatbot references specific URLs, the attributions API fetches information from these sites. An assailant can craft a long list of URLs, each slightly different yet pointing to the same site, resulting in simultaneous requests to that site.
According to Flesch, the API does not verify if hyperlinks are repeated within the list or enforce a limit on the total number of hyperlinks submitted. This allows an attacker to send thousands of hyperlinks in a single HTTP request, effectively flooding the target website.
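The two checks Flesch says are missing, sketched as server-side validation of the submitted URL list. This is an added example, not OpenAI's code or code from the write-up; the function name, both limits and the `.example` hostnames are assumptions made for illustration.

```python
from urllib.parse import urlsplit

MAX_URLS = 10      # assumed cap on list length per API request
MAX_PER_HOST = 2   # assumed cap on fetches per target host per request

class RejectedRequest(ValueError):
    """Raised when the submitted URL list exceeds the size limit."""

def plan_fetches(urls, max_urls=MAX_URLS, max_per_host=MAX_PER_HOST):
    """Return the subset of `urls` the crawler may fetch for one request."""
    if not isinstance(urls, list) or len(urls) > max_urls:
        raise RejectedRequest("urls must be a list of at most %d items" % max_urls)
    seen, per_host, allowed = set(), {}, []
    for raw in urls:
        try:
            parts = urlsplit(raw.strip())
            host = (parts.hostname or "").rstrip(".")  # hostname is lowercased
            port = parts.port                          # ValueError if malformed
        except (AttributeError, ValueError):
            continue                                   # non-string or unparsable
        scheme = parts.scheme.lower()
        if scheme not in ("http", "https") or not host:
            continue
        # Normalised key: ignores fragment, host case, trailing dot, default port.
        default_port = 443 if scheme == "https" else 80
        key = (scheme, host, port or default_port, parts.path or "/", parts.query)
        if key in seen:
            continue                                   # duplicate after normalising
        seen.add(key)
        # Exact-match dedup is not enough when URLs differ slightly but share a
        # host, so also cap how many fetches one request may aim at any host.
        if per_host.get(host, 0) >= max_per_host:
            continue
        per_host[host] = per_host.get(host, 0) + 1
        allowed.append(raw)
    return allowed

# Constructed sample: eight entries, six of them variations on one host.
SAMPLE = [
    "https://victim.example/",
    "https://VICTIM.example/#a",
    "https://victim.example:443/",
    "https://victim.example/?x=1",
    "https://victim.example/?x=2",
    "https://victim.example/page",
    "http://other.example/a",
    "ftp://victim.example/x",
]

if __name__ == "__main__":
    print(plan_fetches(SAMPLE))
```

The per-host cap keys on the exact hostname, so a production check would likely also group by registrable domain and resolved IP address.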
Using a tool like curl, attackers can submit an HTTP POST request to the ChatGPT endpoint without needing an authentication token. OpenAI’s servers on Microsoft Azure will respond by initiating requests for each hyperlink sent through the request parameter. This action can overwhelm the targeted website, as the crawler, using Cloudflare, will access the site from different IP addresses with each request.
The victim site would likely receive requests from approximately 20 different IP addresses simultaneously, making it difficult for them to trace the source of the attack. Even if a website enables a firewall to block the IPs associated with the ChatGPT bot, the bot will continue to send requests.
“Due to this amplification, the attacker can send a small number of requests to the ChatGPT API, but the victim will receive a very large number of requests,” Flesch explained.
Flesch reported the unauthenticated reflective DDoS vulnerability through multiple channels, including the OpenAI BugCrowd platform and Microsoft’s security teams, but received no responses. The Register also reached out to OpenAI for comments but did not receive a reply.
Additionally, Flesch pointed out another issue related to this API, which is vulnerable to prompt injection. This flaw allows the crawler to process arbitrary questions using the same attributions API endpoint, rather than only fetching website data as intended.
Flesch criticized OpenAI for failing to implement basic security measures, such as deduplicating URLs or limiting the size of URL lists. He speculated that the API might be an experimental project for OpenAI’s AI agents, lacking the necessary validation logic to prevent this type of abuse. He noted that established norms in software development typically prevent such flaws to ensure robust performance.
“I cannot imagine a highly-paid Silicon Valley engineer designing software like this, because the ChatGPT crawler has been crawling the web for many years, just like the Google crawler,” Flesch stated. “If crawlers don’t limit their amount of requests to the same website, they will get blocked immediately.”
Featured image credit: Matheus Bertelli/Pexels